Analysis by: Sabrina Lei Sioting

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This spyware also has rootkit capabilities, which enable it to hide its processes and files from the user.

It lowers the security settings of Internet Explorer.

  TECHNICAL DETAILS

File Size: 131,072 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 16 Aug 2011

Installation

This spyware drops the following copies of itself into the affected system:

  • %System Root%\trivax1.Bin\trivax1.Bin.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following component file(s):

  • %System Root%\trivax1.Bin\config.bin

It creates the following folders:

  • %System Root%\trivax1.Bin

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery
ClearBrowsingHistoryOnExit = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyHttp1.1 = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
WarnOnPostRedirect = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
WarnOnIntranet = "0"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
ShownServiceDownBalloon = "0"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
EnabledV8 = "0"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
WarnOnPost = 0

(Note: The default value data of the said registry entry is 1.)
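The following PowerShell script is an added example for defenders, not part of this Trend Micro write-up. It reads the file, folder and registry indicators listed above and reports which are present on the host; it assumes %System Root% maps to $env:SystemDrive and that the registry values may be stored as either REG_SZ or REG_DWORD.

```powershell
# Added example: read-only check for the indicators described on this page.
# Assumption: %System Root% corresponds to $env:SystemDrive (usually C:).
$findings = @()

# Dropped folder and files. Caveat: the spyware hides its files with a rootkit,
# so a clean result from the live system is not conclusive; confirm with an
# offline scan of the disk if this host is suspected of infection.
$paths = @(
    (Join-Path $env:SystemDrive 'trivax1.Bin'),
    (Join-Path $env:SystemDrive 'trivax1.Bin\trivax1.Bin.exe'),
    (Join-Path $env:SystemDrive 'trivax1.Bin\config.bin')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Present: $p" }
}

# Registry entries set or modified during installation (values as listed above).
$ieSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Recovery';       Name = 'ClearBrowsingHistoryOnExit'; Bad = 0 },
    @{ Key = $ieSettings;                                                  Name = 'GlobalUserOffline';           Bad = 0 },
    @{ Key = $ieSettings;                                                  Name = 'ProxyHttp1.1';                Bad = 1 },
    @{ Key = $ieSettings;                                                  Name = 'WarnOnPostRedirect';          Bad = 0 },
    @{ Key = $ieSettings;                                                  Name = 'WarnOnIntranet';              Bad = 0 },
    @{ Key = $ieSettings;                                                  Name = 'WarnOnPost';                  Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'; Name = 'ShownServiceDownBalloon';     Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'; Name = 'EnabledV8';                   Bad = 0 }
)
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }                 # key or value not present
    $value = [int]$item.($c.Name)                     # handles "0"/"1" strings and DWORDs alike
    if ($value -eq $c.Bad) {
        $findings += "Registry: $($c.Key)\$($c.Name) = $value (matches value set by the spyware)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this report were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Several of the Internet Settings values are also set by legitimate configuration, so a single registry match is weak evidence on its own; the dropped file paths and the PhishingFilter EnabledV8 = 0 value are the more specific indicators.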

Rootkit Capabilities

This spyware also has rootkit capabilities, which enable it to hide its processes and files from the user.

Web Browser Home Page and Search Page Modification

This spyware lowers the security settings of Internet Explorer.

Other Details

This spyware connects to the following possibly malicious URL:

  • http://{BLOCKED}x.com/user/gate.php